Cyber security is becoming a major issue in financial services. Investment funds need to be aware of the increasing risks in this area and take steps to ensure such risks are mitigated as much as possible.

This update considers some of the legal risk mitigation measures that investment funds should consider in the area of cyber security.

Current Environment

Cybercrime is growing rapidly. The Center for Strategic and International Studies recently reported that assets of more than US$400 billion were stolen through cybercrime in 2014. In a financial services context, a cyber attack compromised over 80 million customers of one of the world's largest investment banking institutions.

Recently, investment funds (including some Irish investment funds) have been subjected to cyber attacks on their identity, leading to fraudulent scamming of investors. In most cases, a bogus website was established and investors were duped into investing monies electronically. Due to the online nature of cybercrime and the use of internet servers in a broad range of countries without the necessary jurisdictional co-operation established, it has proved extremely difficult for the relevant authorities to track the perpetrators and shut down the relevant websites.

From an Irish financial services regulatory perspective, the importance of having an effective and robust cyber security controls environment in place is such that the Central Bank of Ireland (the "CBI") has included 'cyber security / operational risk' as one of its themed inspection areas for 2015.

The CBI is not alone in this initiative: the US Securities and Exchange Commission (the "SEC") recently published detailed guidance, highlighting how important this issue is for registered investment companies and investment advisers. The UK Financial Conduct Authority (the "FCA") has also publicly stated that it has "established a large network of engagements and contacts to leverage a wide range of skills" in the area of cyber security.

Robust Cyber Security Controls

The CBI requires that entities ensure that they implement adequate and effective measures to reduce the risk of cyber attack by enhancing their cyber security controls environment.

As mentioned above, the CBI published its planned series of Themed Reviews in markets supervision for 2015. As with previous years, the themed inspection areas overlap with the CBI's Enforcement Priorities.

As part of its cyber security / operational risk themed inspection, the CBI is inspecting controls and procedures around system security and access of selected firms. Therefore, it is prudent to act now, rather than wait until being inspected.

Conclusion

Cyber security is an increasing commercial threat and is high on the agenda for regulators and lawmakers (with proposed legislation imminent). It is therefore crucial that robust systems and controls are put in place.

For further information and details of our expertise in this area, please speak to your usual Maples and Calder contact.